Review: Patch Tuesday September 2016
This Patch Tuesday introduces seven critical and seven important bulletins amounting to a total of 14 bulletins. Overall, 47 vulnerabilities were addressed making this a fairly hefty patch cycle.
Kicking off the month, Internet Explorer is patched for five memory corruptions, an elevation of privilege, three information disclosures, and a security feature bypass. The memory corruption vulnerabilities are the most severe issues, as they can allow a remote attacker to execute arbitrary code. To exploit this vulnerability, an attacker would host a malicious webpage and entice a victim to browse to it.
Next up is Edge, which is patched for similar issues to those that plagued IE – seven memory corruptions and five information disclosure vulnerabilities, making this a critically-rated bulletin. While it is good to see security issues being addressed in Edge, it is disheartening to see it suffer from more critical vulnerabilities than its predecessor on Patch Tuesday.
This critically-rated bulletin resolves three elevation of privilege vulnerabilities, an information disclosure, and a remote code execution vulnerability. Since these vulnerabilities exist within the Kernel, exercising least-privilege does not help to mitigate the impact. Full system compromise is possible, making this a high-priority update.
Office is patched for ten memory corruptions, an ASLR bypass, an information disclosure, and a spoofing vulnerability. The most severe vulnerability types, the memory corruption vulnerabilities, occur due to improperly handling objects in memory which can lead to code execution. Additionally, the ASLR bypass vulnerability only applies to click-to-run type installations.
Microsoft Exchange Server returns to our radar with modest vulnerabilities that allow for Information Disclosure, Spoofing, and Elevation of Privilege. In addition, there are multiple vulnerabilities in third-party code, “Oracle Outside In libraries” but Microsoft is releasing this update to ensure that all customers using the third-party code are protected. The vulnerabilities in the third-party code can result in Remote Code Execution, Denial of Service, and Information Disclosure.
A vulnerability exists in Silverlight that could allow an attacker to execute arbitrary code on a system if a user visits a malicious website. The flaw stems from Silverlight improperly handling objects in memory, allowing attacker to corrupt system memory and gain the same access as the current user. If that user has administrative rights, an attacker could take complete control of the system.
This bulletin addresses vulnerabilities in all versions of Microsoft Windows excluding Itanium-based servers. There have been multiple vulnerabilities reported, the most extreme of which would allow an attacker to craft a request that could execute arbitrary code with elevated privileges. Other vulnerabilities include information disclosure, remote code execution, and denial of service. Microsoft corrected issues with how Windows enforces permissions, NT Lan Manager single sign-on, and handling objects in memory.
The Windows Kernel makes its routine visit on Patch Tuesday with multiple vulnerabilities. Each of the vulnerabilities in Windows Kernel can result in Elevation of Privilege. An attacker exploiting this vulnerability could impersonate processes, inject cross-process communication, interrupt system functionality, and gain access to user account information.
An issue has been resolved in windows that allowed an attacker to elevate of privileges from the windows lock screen. An Attacker could connect a malicious wifi hotspot or connect a broadband adapter to computer and load web content. Microsoft corrected the issue by fixing the behavior of the lock screen.
It has been found that Windows Secure Kernel Mode improperly handles objects in memory. The memory corruption leaks information to the attacker, and the attacker could combine this with additional vulnerabilities to further exploit the system. While this is not a complete compromise of the system, the sensitivity of the content contained in Windows Secure Kernel Mode makes any information leak a powerful tool in an attacker’s hands.
A Microsoft Server Message Block 1.0 (SMBv1) vulnerability has been discovered that stems from when an attacker sends a specially crafted packet to a SMBv1 server. This vulnerability only effects the 1.0 version of SMB. For this vulnerability to be successfully exploited, an attacker has to be authenticated with the server and have permissions to open files on the target. This was addressed by changing how SMB handles specially crafted requests.
Microsoft Windows PDF Library makes an appearance in this month’s Patch Tuesday. The library contains two Information Disclosure vulnerabilities. The Information disclosure vulnerabilities revolve around how the library handles objects in memory, and if the attacker crafts a malicious PDF the attacker could read the leaked information from memory. In order to exploit this vulnerability the attacker would have to lure the victim to a web page hosting the malicious PDF, or trick the user into opening the PDF locally within edge.
OLE Automation for VBScript Scripting Engine contains a remote code execution vulnerability. The vulnerability revolved around how the VBScript Scripting Engine in Internet Explorer accesses objects in memory. By exploiting this vulnerability, the attacker could corrupt memory such that code could be executed within the context of the local user. If the user is logged in with administrative rights, the attacker could control the affected system.
Adobe Flash Player contains critical vulnerabilities that could be used to execute arbitrary code on the target system. This update addresses the vulnerabilities that are described in APSB16-29 from Adobe. In order to exploit these vulnerabilities an attacker would have to lure a victim to a compromised website with malicious content designed to take advantage of these vulnerabilities.